Section 7.2.2: Lock down specific projects controller actions for admins only

Author: Ryan Bigg

ticketee/app/helpers/application_helper.rb

@@ -6,4 +6,8 @@ def title(*parts)
       end
     end
   end
+
+  def admins_only(&block)
+    block.call if current_user.try(:admin?)
+  end
 end

ticketee/app/views/projects/index.html.erb

@@ -1,4 +1,6 @@
-<%= link_to "New Project", new_project_path, class: "new" %>
+<% admins_only do %>
+  <%= link_to "New Project", new_project_path, class: "new" %>
+<% end %>
 
 <h2>Projects</h2>
 <ul>

ticketee/app/views/projects/show.html.erb

@@ -3,18 +3,19 @@
 <h1><%= @project.name %></h1>
 <p><%= @project.description %></p>
 
-<%= link_to "Edit Project",
-    edit_project_path(@project),
-    class: "edit" %>
+<% admins_only do %>
+  <%= link_to "Edit Project",
+      edit_project_path(@project),
+      class: "edit" %>
 
-
-<%= link_to "Delete Project",
-     project_path(@project),
-     method: :delete,
-     data: { confirm:
-               "Are you sure you want to delete this project?"
-           },
-     class: "delete" %>
+  <%= link_to "Delete Project",
+       project_path(@project),
+       method: :delete,
+       data: { confirm:
+                 "Are you sure you want to delete this project?"
+             },
+       class: "delete" %>
+<% end %>
 
 <%= link_to "New Ticket",
    new_project_ticket_path(@project),

ticketee/spec/controllers/projects_controller_spec.rb

@@ -1,6 +1,28 @@
 require 'rails_helper'
 
 RSpec.describe ProjectsController, :type => :controller do
+  let(:user) { FactoryGirl.create(:user) }
+
+  context "standard users" do
+    before do
+      allow(controller).to receive(:current_user).and_return(user)
+    end
+
+    { new: :get,
+      create: :post,
+      edit: :get,
+      update: :put,
+      destroy: :delete }.each do |action, method|
+
+      it "cannot access the #{action} action" do
+        send(method, action, :id => FactoryGirl.create(:project))
+
+        expect(response).to redirect_to(root_path)
+        expect(flash[:alert]).to eql("You must be an admin to do that.")
+      end
+    end
+  end
+
   it "displays an error for a missing project" do
     get :show, id: "not-here"
 

ticketee/spec/features/deleting_projects_spec.rb

@@ -1,6 +1,10 @@
 require "rails_helper"
 
 feature "Deleting projects" do
+  before do
+    login_as(FactoryGirl.create(:admin_user))
+  end
+
   scenario "Deleting a project" do
     FactoryGirl.create(:project, name: "Sublime Text 3")
 

ticketee/spec/features/editing_projects_spec.rb

@@ -2,6 +2,7 @@
 
 feature "Editing Projects" do
   before do
+    login_as(FactoryGirl.create(:admin_user))
     FactoryGirl.create(:project, name: "Sublime Text 3")
 
     visit "/"

ticketee/spec/features/hidden_links_spec.rb

@@ -0,0 +1,60 @@
+require "rails_helper"
+
+feature "hidden links" do
+  let(:user) { FactoryGirl.create(:user) }
+  let(:admin) { FactoryGirl.create(:admin_user) }
+  let(:project) { FactoryGirl.create(:project) }
+
+  context "anonymous users" do
+    scenario "cannot see the New Project link" do
+      visit "/"
+      assert_no_link_for "New Project"
+    end
+
+    scenario "cannot see the Edit Project link" do
+      visit project_path(project)
+      assert_no_link_for "Edit Project"
+    end
+
+    scenario "cannot see the Delete Project link" do
+      visit project_path(project)
+      assert_no_link_for "Delete Project"
+    end
+  end
+
+  context "regular users" do
+    before { login_as(user) }
+    scenario "cannot see the New Project link" do
+      visit "/"
+      assert_no_link_for "New Project"
+    end
+
+    scenario "cannot see the Edit Project link" do
+      visit project_path(project)
+      assert_no_link_for "Edit Project"
+    end
+
+    scenario "cannot see the Delete Project link" do
+      visit project_path(project)
+      assert_no_link_for "Delete Project"
+    end
+  end
+
+  context "admin users" do
+    before { login_as(admin) }
+    scenario "can see the New Project link" do
+      visit "/"
+      assert_link_for "New Project"
+    end
+
+    scenario "can see the Edit Project link" do
+      visit project_path(project)
+      assert_link_for "Edit Project"
+    end
+
+    scenario "can see the Delete Project link" do
+      visit project_path(project)
+      assert_link_for "Delete Project"
+    end
+  end
+end

ticketee/spec/rails_helper.rb

@@ -18,7 +18,7 @@
 # directory. Alternatively, in the individual `*_spec.rb` files, manually
 # require only the support files necessary.
 #
-# Dir[Rails.root.join("spec/support/**/*.rb")].each { |f| require f }
+Dir[Rails.root.join("spec/support/**/*.rb")].each { |f| require f }
 
 # Checks for pending migrations before tests are run.
 # If you are not using ActiveRecord, you can remove this line.

ticketee/spec/support/capybara_helpers.rb

@@ -0,0 +1,15 @@
+module CapybaraHelpers
+  def assert_no_link_for(text)
+    expect(page).to_not(have_css("a", :text => text),
+      "Expected not to see the #{text.inspect} link, but did.")
+  end
+
+  def assert_link_for(text)
+    expect(page).to(have_css("a", :text => text),
+      "Expected to see the #{text.inspect} link, but did not.")
+  end
+end
+
+RSpec.configure do |config|
+  config.include CapybaraHelpers, :type => :feature
+end